On Tue, 6 Sep 2005, Lasse Mørk wrote:
> Anyway. It could be interesting to know what to look for in the
> accesslog....
As I said in my last message:
>> What you should look out for is odd patterns in
>>
>> - Same client making very many requests to a given server
>> - Long running CONNECT requests
>> - CONNECT requests to odd ports (there are good reasons why the default
>> config restricts CONNECT to a small set of well known ports only).
>>
>> And if you enable log_mime_hdrs these tunneling agents sometimes can be
>> identified by their request or response headers. If such identification
>> can be done then you can make Squid access rules imposing a general ban of
>> the use of that relay agent (at least until the agent is changed to use
>> other request/response headers...)
Regards
Henrik
Received on Thu Sep 08 2005 - 12:18:39 MDT
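
The three access.log patterns listed in the message above, as detection logic run over constructed sample lines (an added example, not part of the original message). The thresholds, the allowed-port set and the function names are assumptions; match the port set to the SSL_ports ACL in your own squid.conf and tune the limits to your traffic.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed_ms client action/code bytes method URL ident hierarchy/peer type
POLL = ("1126030711.004 95 10.0.0.7 TCP_MISS/200 812 GET "
        "http://relay.example.net/poll - DIRECT/192.0.2.20 text/plain")
SAMPLE_LINES = [
    "1126030700.101 220 10.0.0.5 TCP_MISS/200 4512 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -",
    "1126030705.330 7200450 10.0.0.7 TCP_MISS/200 98233411 CONNECT relay.example.net:443 - DIRECT/192.0.2.20 -",
    "1126030709.870 1530 10.0.0.9 TCP_DENIED/403 1410 CONNECT host.example.org:22 - NONE/- text/html",
] + [POLL] * 6

def parse(line):
    """Return the fields the checks need, or None for a malformed line."""
    f = line.split()
    if len(f) < 7 or not f[1].isdigit():
        return None
    method, url = f[5], f[6]
    if method == "CONNECT":              # CONNECT logs the target as host:port
        host, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else None
    else:
        host, port = urlsplit(url).hostname, None
    return {"client": f[2], "elapsed_ms": int(f[1]),
            "method": method, "host": host, "port": port}

def find_odd_patterns(lines, allowed_ports=frozenset({443, 563}),
                      max_connect_ms=3_600_000, max_requests=5):
    """Flag odd CONNECT ports, long tunnels and chatty client/server pairs."""
    findings, per_pair = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        per_pair[(rec["client"], rec["host"])] += 1
        if rec["method"] == "CONNECT":
            if rec["port"] not in allowed_ports:   # assumed allow-list
                findings.append(("odd-port", rec["client"], f'{rec["host"]}:{rec["port"]}'))
            if rec["elapsed_ms"] > max_connect_ms:  # assumed limit: 1 hour
                findings.append(("long-connect", rec["client"], rec["host"]))
    for (client, host), n in per_pair.items():
        if n > max_requests:                        # assumed limit per log window
            findings.append(("many-requests", client, host))
    return findings

if __name__ == "__main__":
    for finding in find_odd_patterns(SAMPLE_LINES):
        print(*finding)
```

Denied CONNECT attempts (TCP_DENIED/403) are still counted, since a client probing odd ports is itself worth noticing.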